The EU AI Act is no longer a future concern. Parts of it have been in force since February 2025. The next major deadline — high-risk AI system requirements — hits in August 2026. If you use AI on your website and you have European visitors, this is already affecting you.

This guide is educational, not a legal assessment. It summarizes public-facing disclosure topics website owners and agencies may want to review with qualified counsel.

Where we are right now (June 2026):

  • February 2025: Prohibited AI practices banned outright.
  • August 2025: Rules for general-purpose AI models (like GPT-4, Claude) in effect.
  • August 2026 (two months away): High-risk AI system requirements fully apply.
  • 2027: Additional obligations for certain AI system categories.

What the EU AI Act Actually Regulates (The Short Version)

GDPR regulates what you do with personal data. The EU AI Act regulates AI systems themselves — the risk they pose, how transparent they are, and whether people affected by them have meaningful rights.

The law uses a risk pyramid. AI that could get someone denied a loan, fired from a job, or refused medical care is "high-risk" and faces strict requirements. AI that recommends a playlist is lower risk. The thing running your chatbot sits somewhere in between depending on what it does.

For most website operators, the immediately relevant questions are:

  • Are you using any prohibited AI practices? (Must stop immediately.)
  • Are you using AI that interacts with users without disclosing it? (Must disclose.)
  • Does your privacy policy reflect how AI processes visitor data? (Must update.)
  • Do users have a way to request human review of automated decisions? (Required in many cases.)

What's Already Banned: Prohibited Practices (Since February 2025)

These aren't regulated — they're prohibited. If you're doing any of these, stop now:

Subliminal manipulation. AI systems designed to influence people through techniques they're not consciously aware of — exploiting psychological weaknesses to get them to do something against their interests. This includes certain dark patterns driven by AI.

Social scoring. Using AI to rate or classify people based on their social behavior, personal characteristics, or economic status, and then treating them differently based on that score. This includes insurance systems that penalize people for browsing habits unrelated to their actual risk.

Real-time biometric surveillance in public spaces. Unless you're a law enforcement agency with specific authorisation, you cannot run AI that identifies people by their face, voice, or gait in public areas in real time.

Exploiting vulnerabilities. AI that specifically targets children, elderly people, or people with disabilities in ways that exploit their vulnerability to influence their behaviour.

Emotion recognition in workplaces and education. This is one that the final regulation added and that the original proposal didn't include. AI systems that infer emotional states of people in employment contexts or educational settings are banned outright — not regulated, banned. If you run HR software, hiring tools, or edtech that uses facial expression analysis or sentiment detection on employees or students, this applies directly to you.

Biometric categorisation to infer sensitive attributes. Using AI to infer people's religion, political views, sexual orientation, race, or trade union membership from biometric data — photos, voice, movement — is prohibited. This was expanded in the final regulation to cover private actors, not just public authorities. Social platforms or analytics tools that profile users this way are in prohibited territory.

Most legitimate website operators aren't doing any of these. But if you run AI-powered personalisation that works by exploiting emotional states, or dark-pattern chatbots designed to trap users into purchases, review carefully.

What Your Website Needs to Disclose

This is where most websites fall short — not because of malicious intent, but because AI features were added without updating the legal language.

Chatbots and virtual assistants

If users can interact with an AI chatbot on your site, you must clearly inform them they are interacting with AI at the outset, before the conversation proceeds. This cannot be buried in a footer. A "Powered by AI" label somewhere visible is the minimum.

If the chatbot is designed to resemble a real person and the user sincerely wants to know if they're talking to a human, you must disclose that it's an AI when asked.

AI-generated content

If your website uses AI to generate text, images, audio, or video content, and a reasonable person could mistake it for human-created content, disclosure requirements apply — particularly for deepfakes, AI-generated news articles, and synthetic media.

Automated decisions that affect users

If your website uses AI to make decisions that significantly affect individual users — pricing, access, content filtering, account moderation — those users have the right to know an AI was involved, understand the main factors behind the decision, and request a human review.

This is the requirement most website operators miss. If your system automatically bans accounts, adjusts prices based on user profiles, or restricts content access, you need a disclosed mechanism for human appeal.

What Your Privacy Policy Needs to Say

Most privacy policies written before 2023 don't mention AI at all. That's a problem when your site is running recommendation engines, AI chat, or automated content moderation.

Your privacy policy should now cover:

  • What AI systems you use and what they do (recommendation, moderation, personalisation, etc.)
  • What personal data they process and why
  • Whether automated decisions affect users and what the basis for those decisions is
  • How users can request human review of automated decisions
  • Whether AI processes data outside the EU (transfer rules still apply)

If you use a third-party AI tool (OpenAI, Anthropic, Google Gemini) in your product or on your site, you need to disclose that data may be processed by that provider, the same way you disclose Stripe for payments or Google Analytics for measurement.

The August 2026 Deadline: High-Risk AI

The August 2026 deadline applies to high-risk AI systems — those with meaningful impact on employment, education, credit, healthcare, public services, and law enforcement.

For most website operators, this doesn't mean building new systems. It means if you're using AI for things like:

  • Automated CV screening or hiring decisions
  • Credit or insurance risk scoring
  • Educational assessment or student performance evaluation
  • Medical diagnostic support

...then you're in high-risk territory and need documented conformity assessments, human oversight mechanisms, and technical documentation. This is where you need actual legal counsel.

For the majority of websites — content sites, SaaS products, e-commerce — the high-risk deadline isn't the immediate concern. The transparency and disclosure obligations that already apply are.

General Purpose AI: The August 2025 Rules

If you use a large general-purpose AI model in your product — GPT-4, Claude, Gemini, Mistral — the provider of that model has obligations under the GPAI rules that took effect August 2025. As a deployer of that model, you benefit from their compliance, but you still carry disclosure obligations for how you use it.

Practically: if your product's core feature is powered by an AI API, your website, privacy policy, and terms of service should say so.

How to Check What Your Website Currently Discloses

The fastest way to see what's missing is to look at your site from the outside — the way a regulator or a concerned user would.

  • Does your chatbot identify itself as AI before the conversation starts?
  • Does your privacy policy mention AI, automated decisions, or machine learning?
  • Do you have a visible path for users to request human review of automated decisions?
  • Does your cookie policy account for AI personalisation and profiling cookies?

Run a website trust scan

PolicyGen checks observable public website trust signals such as policy links, cookie and tracking disclosures, CMP detection, SSL/security-lite signals, and customer-facing trust paths.

What To Do This Month

Step 1: Audit your AI use. List every AI tool or feature on your website — chatbots, recommendation engines, content generation, automated moderation, personalisation. If you're not sure whether something counts, it probably does.

Step 2: Update your privacy policy. Add a section covering AI processing, what decisions it makes, and how users can request human review. If you use third-party AI APIs, name them.

Step 3: Label your chatbot. If you have an AI chatbot, make sure it identifies itself as AI clearly at the start of every conversation. Don't give it a human name without disclosure.

Step 4: Add a human review path. For any automated decisions that affect users, document and publish how they can request human review. Even a contact email with a stated purpose ("contact us to request review of an automated decision") satisfies the basic requirement.

Step 5: Get a lawyer's opinion on anything high-risk. If you're in hiring, credit, healthcare, or education, you need actual legal counsel — not a checklist.

Frequently Asked Questions

Does the EU AI Act apply to my website?

If your website uses AI systems that interact with EU users — chatbots, recommendation engines, automated content, scoring systems — the EU AI Act likely applies. You don't need to be based in the EU. The law covers any AI that affects people in the EU.

What does the EU AI Act require for websites in August 2026?

The August 2026 deadline applies to high-risk AI systems. For most websites, the immediately actionable requirements are: disclose when users are interacting with AI, don't use prohibited AI practices, and ensure your privacy policy reflects any AI processing of personal data.

Do I need to update my privacy policy for the EU AI Act?

Yes, if you use AI that processes personal data. Your privacy policy should disclose what AI systems you use, what decisions they make, what data they process, and how users can request human review of automated decisions.

Official Sources & Further Reading

PolicyGen provides informational guidance only and does not constitute legal advice. The EU AI Act is a complex regulation — consult qualified legal counsel for compliance decisions.